Appendix B. Resources

General

References

• The official Kubernetes documentation

• The Kubernetes community on GitHub

Books

• Container Security by Liz Rice (O’Reilly)

• Kubernetes: Up and Running by Kelsey Hightower, Brendan Burns, and Joe Beda (O’Reilly)

• Cloud Native DevOps with Kubernetes by John Arundel and Justin Domingus (O’Reilly)

• Managing Kubernetes by Brendan Burns and Craig Tracey (O’Reilly)

• Kubernetes Cookbook by Sébastien Goasguen and Michael Hausenblas (O’Reilly)

• Cybersecurity Ops with bash by Paul Troncone and Carl Albing (O’Reilly)

Further Reading by Chapter

Intro

For Chapter 1 we suggest the following resources:

• Threat Modeling Manifesto

• Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence by Nihad Hassan and Rami Hijazi (Apress)

• The Tao of Open Source Intelligence by Stewart Bertram (IT Governance Publishing)

• “SANS SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis”

Pods

For Chapter 2 we suggest the following resources:

• Awesome Kubernetes Security

• “My Arsenal of Cloud Native (Security) Tools”

• “5 Must-Have Kubernetes Security Tools”

• Kubernetes YAML Generator

• Google Cloud’s “Why Container Security Matters to Your Business”

• A comprehensive Kubernetes FAQ

• “Attacking Kubernetes Clusters Through Your Network Plumbing”

• Kubernetes Volumes Guide

Further, tooling relevant in this context:

• Cloud Container Attack Tool (CCAT)

• Peirates (Kubernetes penetration testing tool)

• Hunt for security weaknesses in Kubernetes clusters

• A container analysis and exploitation tool for pentesters and engineers

• Docker Enumeration, Escalation of Privileges and Container Escapes

• Ed is a tool used to identify and exploit accessible UNIX Domain Sockets

• RedNix: Hackable NixOS container

Supply Chains

For Chapter 4 we suggest the following resources:

• “Vulnerabilities in the Core Preliminary Report and Census II of Open Source Software”

• CII Best Practices Badge Program

• SPDX specifications

• OWASP Dependency Track

• A Go implementation of in-toto with certificate constraint support

• “Supply Chain Security By Verification - Mitigating Supply Chain Attacks”

• “Security Considerations for Code Signing”

• NCSC’s “Supply chain security guidance”

• MITRE’s “Supply Chain Attack Framework and Attack Patterns”

• Microsoft Supply Chain Integrity Model (SCIM)

Further, tooling relevant in this context:

• OWASP Packman

• Security Scorecards

• Open Source Project Criticality Score (Beta)

• OSS Review Toolkit (ORT)

• Google Binary Authorization/SLSA

• syft: generate Software Bill of Materials (SBOM) from container images

• Rekor

• Ploigos Software Factory Operator

• in-toto: A framework to secure the integrity of software supply chains

• sigstore

Networking

For Chapter 5 we suggest the following resources:

• “Securing Your Apps in Kubernetes with NGINX App Protect”

• “Kubernetes Ingress with AWS ALB Ingress Controller”

• “Exploring Network Policies in Kubernetes”

• “Best Practices for Kubernetes Network Policies”

• “Securing Kubernetes Cluster Networking”

• NIST Special Publication 800-204A: “Building Secure Microservices-based Applications Using Service-Mesh Architecture”

• “How to Secure Containers in a Service Mesh such as Istio and Linkerd2”

• “Istio Security: Running Microservices on Zero-Trust Networks”

• App Mesh TLS

Further, tooling relevant in this context:

• CNCF Falco

• Sysdig Secure

• NeuVector

• Snyk Container

• Prisma Cloud

• StackRox

• Aqua Security

• AccuKnox

Policy

For Chapter 8 we suggest the following resources:

• “Effective RBAC” - Jordan Liggitt

• “Configure RBAC in your Kubernetes Cluster”

• “Testing Kubernetes RBAC”

• “3 Realistic Approaches to Kubernetes RBAC”

• “Enforcing Policy as Code using OPA and Gatekeeper in Kubernetes”

• “Rego Unit Testing”

• OPA, oso, oh no!

• “Record AWS API calls to improve IAM Policies”

Further, tooling relevant in this context:

• Krane: Kubernetes RBAC Analysis made Easy

• audit2rbac

• RBAC View

• rback

• Permission manager

Notable CVEs

Note

Unless noted, these CVEs are patched, and are here to serve only as a historical reference.

CVE-2017-1002101

Subpath volume mount mishander. Containers using subpath volume mounts with any volume type (including nonprivileged pods subject to file permissions) can access files/directories outside of the volume including the host’s filesystem.

CVE-2017-1002102

Downward API host filesystem delete. Containers using a Secret, ConfigMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.

CVE-2017-5638

(Non-Kubernetes) Apache Struts invalid Content-Type header parsing failure, allowing arbitrary code execution. The bug in the Jakarta Multipart parser registered the input as OGNL code, converted it to an executable, and moved it to the server’s temporary directory.

CVE-2018-1002105

API server websocket TLS tunnel error mishandling. Incorrect error response handling of proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers. Subsequent arbitrary requests over the same connection transit directly to the backend authenticated with the Kubernetes API server’s TLS credentials.

CVE-2019-16884

runc hostile image AppArmor bypass. Allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

CVE-2019-5736

runc /proc/self/exe. runc allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

CVE-2019-11249

kubectl cp scp reverse write. To copy files from a container Kubernetes runs tar inside the container to create a Tar archive, and copies it over the network where kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.

CVE-2018-18264

Kubernetes Dashboard before v1.10.1 allows attackers to bypass authentication and use Dashboard’s ServiceAccount for reading Secrets within the cluster.

CVE-2019-1002100

API Server JSON patch Denial of Service. Users that are authorized to make HTTP PATCH requests to the Kubernetes API Server can send a specially crafted patch of type “json-patch” (e.g., kubectl patch --type json or "Content-Type: application/json-patch+json") that consumes excessive resources while processing.

CVE-2018-1002100

Original kubectl cp. The kubectl cp command insecurely handles tar data returned from the container and can be caused to overwrite arbitrary local files.

CVE-2019-1002101

Similar to CVE-2019-11249, but extended in that the untar function can both create and follow symbolic links.

CVE-2019-11245

mustRunAsNonRoot: true bypass. Containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node

CVE-2019-11247

Cluster RBAC mishandler. The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped custom resource if the request is made as if the resource were namespaced. Authorizations for the resource accessed in this manner are enforced using roles and role bindings within the namespace meaning that a user with access only to a resource in one namespace could create, view, update, or delete the cluster-scoped resource (according to their namespace role privileges).

CVE-2019-11248

kubelet /debug/pprof information disclosure and denial of service. The debugging endpoint /debug/pprof is exposed over the unauthenticated kubelet healthz healthcheck endpoint port, which can potentially leak sensitive information such as internal Kubelet memory addresses and configuration or for limited denial of service.

CVE-2019-11250

Side channel information disclosure. The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) which make use of basic or bearer token authentication and run at high verbosity levels are affected.

CVE-2020-8558

kube-proxy unexpectedly makes localhost-bound host services available on the network.

CVE-2020-14386

Integer overflow from raw packet on the “loopback” (or localhost) network interface. Removing this with sysctl -w kernel.unprivileged_userns_clone=0 or denying CAP_NET_RAW protects unpatched kernels from exploitation.

CVE-2021-22555

Linux Netfilter local privilege escalation flaw. When processing setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) a local user may exploit memory corruption to gain privileges or cause a DoS via a user namespace. A kernel compiled with CONFIG_USER_NS and CONFIG_NET_NS allows an unprivileged user to elevate privileges.

CVE-2021-25740 (unpatched)

Endpoint and EndpointSlice permissions allow cross-Namespace forwarding. users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.

CVE-2021-31440

Incorrect bounds calculation in the Linux kernel eBPF verifier. By bypassing the verifier, this can exploit out-of-bounds kernel access to escape, and the original proof of concept set UID and GID to 0 and gained CAP_SYS_MODULE to load an arbitrary kernel outside the container.

CVE-2021-25741

Symlink exchange can allow host filesystem access. A user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem.